Polymorphic javascript

Wednesday, 27 February 2008

Finding a pattern in malicious javascript is difficult, it’s possible to selectively change the source code yet still execute the same payload. There are many ways to morph Javascript and I shall go through a few of the possibilities and provide examples through Hackvertor (which now supports code morphing).

In order for a pattern to be established the detection mechanism needs to understand hexadecimal, unicode, octal escapes along with general javascript syntax. It’s difficult to maintain polymorphic code without an increase in size, this could be an indicator that malicious code exists because the code only has so many characters it can selectively modify without encoding the whole payload again. Of course an encoding/compression algorithm could maintain the same size but I think this is easier to detect.

A common factor with malicious javascript is the use of eval or external connections, if a site is using eval in more than one instance and on multiple pages it could contain malicious code. Even the use of a single eval is not that common on the average web site and whitelisting the existing known code could be a good way of detecting malicious content.

I believe the best form of defense is attack and therefore I’ve created code morphing tags in Hackvertor, the tags are not comprehensive but provide a good reference on how javascript code can be selectively modified. There are two classes of morph currently in Hackvertor, random morph and full morph. Random mode will modify a small section of the code without changing the result and full mode will encode the entire payload, this is similar to the code morphing script I wrote previously but contains more features.

Random morphing

Unicode morphing can be used in function calls and javascript strings, the following example shows how the alert function can be changed. Click convert a few times to see the different results:-Unicode morph

Finally I’ll show the variable morph, there are more morphs available but I’ll leave you to experiment with them. The variable morph simply selects an individual character and creates a sepate string:-

Full morphing

Advanced examples

The example below shows how to create a javascript link with multiple random morphs which uses hex entity encoding with a unicode and character code random morph.Javascript link url

Here’s how to take a string and randomly encode parts of it with urlencoding and character codes:-Random parts morph

This is my last one now, there are so many combinations I could show you. Click the execute output button to view :-Reversing keywords

The entry 'Polymorphic javascript' was posted
on February 27th, 2008 at 12:45 pm
and last modified on February 27th, 2008 at 4:30 pm, and is filed under hackvertor, javascript, Security.
You can follow any responses to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

I developed the tool for XSS pen testing but the codebase could quite easily be used for a variety of different things. It is open source as well so anyone wants to create a version for specific task than they are more than welcome to do so.

If you liked the morphing tags, check out the latest improvement ternary operator string splitting.

Visit this url and then click real time in the black bar to demo:-Ternary morph